Confidentiality: a contested value

Confidentiality is apparently an absolute ethical principle in medicine.1 It is of long standing, going at least as far back as Hippocrates and stated as: ‘All that may come to my knowledge in the exercise of my profession or in daily commerce with men, which ought not to be spread abroad, I will keep secret and will never reveal.’

The Oxford English Dictionary defines confidentiality as, ‘Spoken or written in confidence, characterised by the communication of secrets or private matters, betokening private intimacy, or the confiding of private secrets, enjoying the confidence of another person, entrusted with secrets, charged with a secret task’.

In short, confidentiality is about keeping information secret and private. No part of it is about ‘providing information’2 to anyone else. Confidentiality is very much a deontological virtue: it places a duty on one individual to another. And by this very focus on private interaction, it is honoured between individuals, and without consideration of the wider context, and despite the utility the private knowledge might have for others.

There are many good reasons to value confidentiality in medicine, in particular because it promotes trust between patient and doctor and allows fuller disclosure of the facts and context of an illness, which therefore allows fairer and more accurate assessment of symptoms and their meaning for the patient. In certain specialities, such as genitourinary medicine, this need for complete privacy is an over-riding priority to allow the clinical encounter to even begin.

Most models of our work in the consultation are based on the concept of the doctor and patient interacting in a private, confidential setting. And yet this likeable notion of doctor and patient interacting in privacy is not truly reflecting the reality of current medical practice, either for patients or doctors. The mismatch arises for several reasons.

First, confidentiality is actually difficult to maintain. Benjamin Franklin was aware of this saying, ‘Three may keep a secret, if two of them are dead’. Illustrating this in the primary care context, Professor Bernice Elger describes in this issue of the BJGP3 how she examined physician's attitudes to various scenarios, and whether they recognised the problem or not. Readers can enjoy trying the scenarios out for themselves and seeing if they agree with the reference panel of law professors. The message here is that, as doctors we do not fully understand confidentiality, and that we can easily breach it whether deliberately or inadvertently. As GPs we may not be discussing cases in hospital lifts anymore,4 but what about in the coffee room or at the reception counter?

Second, we are moving towards a model of shared holding of information whether on the basis of the NHS Connecting for Health and its summary care record (SCR), or whether by diffuse network storage of health records possibly via private providers such as Microsoft® or Google™. The Royal College of General Practitioners has recently expressed its support for the SCR.5 The Conservative Party6 is considering scrapping Connecting for Health and using commercially available systems for record storage with access shared between patient and doctor. These electronic systems offer great potential for information sharing, but the inevitable cost must be some loss of data security and breaches of confidentiality, as Ross Anderson, an expert on computer security engineering, pointed out.7

However, as medical care gets ever more fragmented, the need for complete and continuous records increases, and we as doctors and patients probably have to trade off some data security to allow decent medical care to occur. Think of the difference between seeing a patient you know in regular surgery with well summarised notes, and the information-poor position of an out-of-hours GP or an A&E doctor meeting the same patient for the first time after the surgery has closed. Is the security of the record, or the utility of the past history more important to doctor and patient here? Which will allow better care to be given?

Third, although we describe the doctor–patient consultation as confidential this is actually far from an accurate description of its current status. We need to update our model of the consultation to include the other people who often have a well justified interest in it and its outcomes. Consultations are rarely just between patient and doctor. We have the obvious third parties of relatives, employers, and insurance companies. We have the fact that patients use their illness to justify receiving welfare benefits and that these claims need to be checked. We have the fact that personal injury lawyers and negligence lawyers need to access the records. We sometimes need to prevent injury to others and so have a duty to breach confidentiality in some cases, such as drivers with uncontrolled epilepsy.

Beyond these scenarios we need to acknowledge that we work as part of a finite healthcare system, which pays for us, our prescribing, and referrals. The NHS as paymaster has a legitimate interest in checking the quality of these to make sure that overall resources are used well. Newdick8 points out how unhelpful many professional codes of practice are as they do not acknowledge this reality, and so lay down deontological duties on professionals that may not be fully deliverable with the time and resources the system can afford.

One of the ways in which we find out how we are, and how we should be, using resources is through research. The Wellcome Trust has done researchers, GPs, and patients a service with its recent balanced report on the use of data from GP records for research.9 The general practice record, especially when coded, anonymised, and available electronically, creates a rich database of useful information that can be mined for insight to help current and future patients. Surely the utilitarians will argue we should be doing this for the greater good of patients, doctors, and the NHS as a whole? Tim Kelsey,10 of the Dr Foster organisation, argues strongly that we should go in this direction, using readily available data to analyse patterns of activity, performance, and outcome.

We currently have two values in play about medical information. One is the old established notion of confidentiality. The newcomer is the need to acknowledge the role of others outside the individual consultation with whom information about the consultation needs to be shared; this is in terms of welfare benefits, clinical governance, and NHS system and treatment costs. With the advent of computerised records, the ability to share information increases significantly and the impact of this change is still being worked out. We cannot continue to pretend that the consultation occurs in a hermetically sealed bubble between two people. We need to move to a more realistic view of the significant others involved and their activities.

For the time being, as GPs we have some practical operational rules about information use.2 But they are not really about confidentiality. They are really about how and when we may breach it.

Ultimately, we will need to involve the public and legislators in a full debate on what medical information is, and should be, used for. The notion of confidentiality is about to undergo significant challenge and change.

• © British Journal of General Practice, 2009.